ABSTRACT

A computer network having multiple, dissimilar network devices includes a system for implementing high-level, network policies. The high-level policies, which are generally device-independent, are translated by one or more policy servers into a set of rules that can be put into effect by specific network devices. Preferably, a network administrator selects an overall traffic template for a given domain and may assign various applications and/or users to the corresponding traffic types of the template. Location-specific policies may also be established by the network administrator. The policy server translates the high-level policies inherent in the selected traffic template and location-specific policies into a set of rules, which may include one or more access control lists, and may combine several related rules into a single transaction. Intermediate network devices, which may have one or more roles assigned to their interfaces, are configured to request traffic management information from the policy server, which replies with a particular set of transactions and rules. The rules, which may correspond to the particular roles assigned to the interfaces, are then utilized by the intermediate devices to configure their particular services and traffic management mechanisms. Other rules are utilized by the intermediate devices to classify packets with a particular priority and/or service value and to treat classified packets in a particular manner so as to realize the selected high-level policies within the domain.

18 Claims, 9 Drawing Sheets 
METHOD AND APPARATUS FOR DEFINING AND IMPLEMENTING HIGH-LEVEL QUALITY OF SERVICE POLICIES IN COMPUTER NETWORKS

FIELD OF THE INVENTION

The present invention relates generally to computer networks, and more specifically, to a method and apparatus for applying high-level, quality of service policies at dissimilar computer network devices.

BACKGROUND OF THE INVENTION 

A computer network typically comprises a plurality of interconnected entities that transmit (i.e., "source") or receive (i.e., "sink") data frames. A common type of computer network is a local area network ("LAN") which typically refers to a privately owned network within a single building or campus. LANs employ a data communication protocol (LAN standard), such as Ethernet, FDDI or token ring, that defines the functions performed by the data link and physical layers of a communications architecture (i.e., a protocol stack), such as the Open Systems Interconnection (OSI) Reference Model. In many instances, multiple LANs may be interconnected by point-to-point links, microwave transceivers, satellite hook-ups, etc. to form a wide area network ("WAN"), metropolitan area network ("MAN") or intranet. These LANs and/or WANs, moreover, may be coupled through one or more gateways to the Internet.

One or more intermediate devices are often used to couple LANs together and allow the corresponding entities to exchange information. For example, a bridge may be used to provide a "bridging" function between two or more LANs. Alternatively, a switch may be utilized to provide a "switching" function for transferring information, such as data frames, among entities of a computer network. Typically, the switch is a computer having a plurality of ports that couple the switch to several LANs and to other switches. The switching function includes receiving data frames at a source port and transferring them to at least one destination port for receipt by another entity.

Switches may operate at various levels of the communication protocol stack. For example, a switch may operate at layer 2 which, in the OSI Reference Model, is called the data link layer and includes the Logical Link Control (LLC) and Media Access Control (MAC) sub-layers. Data frames at the data link layer typically include a header containing the MAC address of the entity sourcing the message, referred to as the source address, and the MAC address of the entity to whom the message is being sent, referred to as the destination address. To perform the switching function, layer 2 switches examine the MAC destination address of each data frame received on a source port. The frame is then switched onto the destination port(s) associated with that MAC destination address.

Other devices, commonly referred to as routers, may operate at higher communication layers, such as layer 3 of the OSI Reference Model, which in TCP/IP networks corresponds to the Internet Protocol (IP) layer. Data frames at the IP layer also include a header which contains an IP source address and an IP destination address. Routers or layer 3 switches may re-assemble or convert received data frames from one LAN standard (e.g., Ethernet) to another (e.g., token ring). Thus, layer 3 devices are often used to interconnect dissimilar subnetworks.

User Priority

FIG. 1 is a block diagram of a data link (e.g., Ethernet) frame 100 which includes a MAC header 102 and a data field 104. MAC header 102 includes a MAC destination address (MAC DA) field 106 and a MAC source address (MAC SA) field 108. Recently, a proposal was made to insert a new field after the MAC SA field 108. More specifically, the Institute of Electrical and Electronics Engineers (IEEE) is working on a standard, the IEEE 802.1Q draft standard, for adding information to MAC headers. In particular, the 802.1Q standard defines a tag header 110 which is inserted immediately following the MAC DA and MAC SA fields 106, 108.

The tag header 110 comprises a plurality of sub-fields, including a Tag Protocol Identifier (TPID) field 112, a user_priority field 114, a Canonical Format Indicator (CFI) field 116 and a Virtual Local Area Network Identifier (VID) field 118. The user_priority field 114 permits network devices to indicate a desired priority of data link frames. In particular, in an IEEE appendix, referred to as the 802.1p standard, the IEEE has defined eight possible values of user priority, each of which is associated with a specific traffic type. The proposed user priority values and corresponding traffic types specified in the 802.1p standard are as follows.

An intermediate device may provide a plurality of transmission priority queues per port and, pursuant to the 802.1p standard, may assign frames to different queues of a destination port on the basis of the frame's user priority value. For example, frames with a user priority of "0" are placed in the "0" level priority queue (e.g., non-expedited traffic), whereas frames with a user priority of "3" are placed in the level "3" priority queue. Furthermore, frames stored in a higher level queue (e.g., level 3/excellent effort) are preferably forwarded before frames stored in a lower level queue (e.g., level 1/background). This is commonly referred to as Priority Queuing. Thus, by setting the contents of the user_priority field 114 to a particular value, a device may affect the speed with which the corresponding frames traverse the network.

If a particular intermediate device has less than eight priority queues per port, several of the IEEE traffic types may be combined. For example, if only three queues are present, then queue 1 may accommodate best effort, excellent effort and background traffic types, queue 2 may accommodate controlled load and video traffic types and queue 3 may accommodate voice and network control traffic types. The IEEE 802.1p standard also recognizes that intermediate devices may regenerate the user priority value of a received frame. That is, an intermediate device may forward the frame with a different user priority value (still within the range of 0-7) than the one it had when the frame was received. Nevertheless, the standard recommends leaving the user priority value un-changed.
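The tag header fields and the three-queue collapse described above, as an added example that is not part of the patent: it parses the 802.1Q tag from a constructed Ethernet frame, maps user_priority to one of three destination-port queues, and serves the queues in strict Priority Queuing order. The user_priority-to-traffic-type table is assumed from IEEE 802.1D/802.1p (the page's own table did not survive extraction), and the frame bytes are constructed test input.

```python
import struct
from collections import deque

TPID_8021Q = 0x8100      # Tag Protocol Identifier (TPID) marking an 802.1Q tag header
TAG_OFFSET = 12          # tag header 110 sits right after MAC DA (6) and MAC SA (6)

# user_priority -> traffic type. Assumed from IEEE 802.1D/802.1p (the page's
# own table of the eight values did not survive extraction).
TRAFFIC_TYPE = {
    1: "background", 2: "spare", 0: "best effort", 3: "excellent effort",
    4: "controlled load", 5: "video", 6: "voice", 7: "network control",
}

# The three-queue collapse the text describes (queue 1 = lowest, 3 = highest).
# "spare" is not named by the text; it is assumed to share queue 1.
THREE_QUEUE = {
    "background": 1, "best effort": 1, "excellent effort": 1, "spare": 1,
    "controlled load": 2, "video": 2,
    "voice": 3, "network control": 3,
}


def parse_tag_header(frame: bytes):
    """Return (user_priority, cfi, vid) from an 802.1Q tagged frame, or None."""
    if len(frame) < TAG_OFFSET + 4:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, TAG_OFFSET)
    if tpid != TPID_8021Q:
        return None                      # untagged: no user_priority field 114
    user_priority = tci >> 13            # 3 bits
    cfi = (tci >> 12) & 1                # 1 bit
    vid = tci & 0x0FFF                   # 12 bits
    return user_priority, cfi, vid


def build_tagged_frame(dst: bytes, src: bytes, user_priority: int, vid: int,
                       payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Constructed test input: MAC DA, MAC SA, tag header, type, payload."""
    if not (0 <= user_priority <= 7 and 0 <= vid <= 0x0FFF):
        raise ValueError("user_priority is 0-7, VID is 12 bits")
    tci = (user_priority << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def regenerate_priority(frame: bytes, new_priority: int) -> bytes:
    """Rewrite user_priority, the regeneration 802.1p permits (still 0-7)."""
    if parse_tag_header(frame) is None:
        raise ValueError("frame carries no tag header")
    if not 0 <= new_priority <= 7:
        raise ValueError("user_priority must stay within 0-7")
    (tci,) = struct.unpack_from("!H", frame, TAG_OFFSET + 2)
    tci = (new_priority << 13) | (tci & 0x1FFF)
    return frame[:TAG_OFFSET + 2] + struct.pack("!H", tci) + frame[TAG_OFFSET + 4:]


def select_queue(frame: bytes, trusted_port: bool) -> int:
    """Pick the destination-port queue (1-3) for a received frame."""
    tag = parse_tag_header(frame)
    # An untagged frame, or one arriving on an un-trusted interface, does not
    # get to choose its own treatment: it is classified as best effort (0).
    user_priority = tag[0] if (tag is not None and trusted_port) else 0
    return THREE_QUEUE[TRAFFIC_TYPE[user_priority]]


class PriorityQueuingPort:
    """Destination port with three queues; the higher queue is always served first."""

    def __init__(self, trusted: bool = True):
        self.trusted = trusted
        self.queues = {1: deque(), 2: deque(), 3: deque()}

    def receive(self, frame: bytes) -> int:
        queue = select_queue(frame, self.trusted)
        self.queues[queue].append(frame)
        return queue

    def drain(self) -> list:
        """Forward everything queued, in Priority Queuing order."""
        out = []
        for queue in (3, 2, 1):
            while self.queues[queue]:
                out.append(self.queues[queue].popleft())
        return out


if __name__ == "__main__":
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    port = PriorityQueuingPort(trusted=True)
    for prio in (0, 6, 3, 4):
        port.receive(build_tagged_frame(dst, src, prio, 100, b"payload"))
    print([parse_tag_header(f)[0] for f in port.drain()])   # [6, 4, 0, 3]
```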
Type of Service

FIG. 2 is a block diagram of a portion of an Internet Protocol Version 4 (IPv4) compliant IP header 200. The IP header 200 is also made up of a plurality of fields, including a type_of_service (ToS) field 202, a time to live (TTL) field 204, an IP source address (IP SA) field 206 and an IP destination address (IP DA) field 208. The ToS field 202 is intended to allow an entity to specify the particular service it wants, such as high reliability, fast delivery, accurate delivery, etc., and comprises a number of sub-fields. The sub-fields include a three bit IP precedence (IPP) field 210, three one bit flags (D, T and R) 212, 214 and 216 and two unused bits 218. By setting the various flags, a host may indicate which overall service it cares most about (i.e., Delay, Throughput and Reliability). Although the ToS field 202 was intended to allow layer 3 devices to choose between different links (e.g., a satellite link with high throughput or a leased line with low delay) depending on the service being requested, in practice, most layer 3 devices ignore the contents of the ToS field 202 altogether. Instead, protocols at the transport layer (layer 4) and higher typically negotiate and implement an acceptable level of service. Version 6 of the Internet Protocol (IPv6) similarly defines a traffic class field, which is also intended to be used for defining the type of service to be applied to the corresponding packet.

Recently, a working group of the Internet Engineering Task Force (IETF), which is an independent standards organization, has proposed replacing the ToS field 202 with a one octet differentiated services (DS) field 220. The first six bits of the DS field specify a differentiated services codepoint while the last two bits are unused. Layer 3 devices that are DS compliant apply a particular per-hop forwarding behavior to packets based on the contents of their DS fields 220. Examples of per-hop forwarding behaviors include expedited forwarding and assured forwarding. The DS field 220 is typically loaded by DS compliant intermediate devices located at the border of a DS domain, which is a set of DS compliant intermediate devices under common network administration. Thereafter, interior DS compliant devices along the path simply apply the assigned forwarding behavior to the packet.

Although layer 3 devices, like their layer 2 counterparts, typically have multiple priority queues per port or interface, layer 3 devices often apply scheduling patterns that are more sophisticated than simple Priority Queuing. For example, some layer 3 devices forward one packet from each queue in a round robin fashion. Another approach, referred to as fair queuing, simulates a byte-by-byte round robin to avoid allocating more bandwidth to sources who transmit large packets than to those who only send small packets. Another approach, called Weighted Fair Queuing (WFQ), allocates more bandwidth to specific traffic flows or sources, such as specific servers, based on source IP address, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port, etc.

Some networking software, including the Internetwork Operating System (IOS) from Cisco Systems, Inc., supports the creation of access control lists or filters, which are typically used to prevent certain traffic from entering or exiting a network. In particular, certain layer 3 devices utilize access lists to control whether routed packets should be forwarded or filtered (i.e., dropped) by the device based on certain predefined criteria. When a packet is received by such a device, it is tested against each of the criteria statements of the corresponding list. If a match is found, the packet is either forwarded or dropped as provided by the list. The criteria may be source address, destination address, or upper-layer application based on their TCP/UDP port numbers. For example, an access list may allow most traffic to be forwarded but cause all Telnet traffic to be dropped. Access lists may be established for both inbound and outbound traffic and are most commonly configured at layer 3 devices located at the border of a network (e.g., gateways or firewalls) to provide security to the network.

Congestion Control

Congestion typically refers to the presence of too many packets in a subnet or a portion of a network, thereby degrading the network's performance. Congestion occurs when the network devices are unable to keep up with an increase in traffic. As described above, a layer 3 device typically has one or more priority queues associated with each interface. As packets are received, they are added to the appropriate priority queue for forwarding. Nevertheless, if packets are added to the queue faster than they can be forwarded, the queue will eventually be filled, forcing the device to drop any additional packets for that queue. The dropping of packets when a queue is full is referred to as tail drop. The point at which tail drop occurs, moreover, may be configured to something less than the capacity of the queue. Since tail dropping discards every packet over the queue limit, it often affects multiple upper layer applications simultaneously. Furthermore, many upper layer applications, such as TCP, re-send messages if no acknowledgments are received. Thus, the presence of tail dropping can cause global synchronization among upper layer applications, significantly exacerbating the congestion problem. To avoid global synchronization, some layer 3 devices use Random Early Detection (RED), which selectively drops packets when congestion first begins to appear. By dropping some packets early before the priority queue is full, RED avoids dropping large numbers of packets all at once. In particular, when a calculated average queue depth exceeds a minimum threshold, the device begins dropping packets. The rate at which packets are dropped increases linearly as a function of a probability constant. When a maximum threshold is reached, all additional packets are dropped. An extension to RED is Weighted Random Early Detection (WRED), which applies different thresholds and probability constants to packets associated with different traffic flows. Thus, WRED allows standard traffic to be dropped more frequently than premium traffic during periods of congestion.

Service Level Agreements

To interconnect dispersed computer networks, many organizations rely on the infrastructure and facilities of service providers. For example, an organization may lease a number of T1 lines to interconnect various LANs. These organizations typically enter into service level agreements with the service providers, which include one or more traffic specifiers. These traffic specifiers may place limits on the amount of resources that the subscribing organization will consume for a given charge. For example, a user may agree not to send traffic that exceeds a certain bandwidth (e.g., 1 Mb/s). Traffic entering the service provider's network is monitored (i.e., "policed") to ensure that it complies with the relevant traffic specifiers and is thus "in-profile". Traffic that exceeds a traffic specifier (i.e., traffic that is "out-of-profile") may be dealt with in a number of ways. For example, the exceeding traffic may be dropped or shaped. With shaping, the out-of-profile traffic is temporarily stored until the demand drops below the threshold. Another option is to mark the traffic as exceeding the traffic specifier, but nonetheless allow it to proceed through the network. If there is congestion, an intermediate device may drop this "marked" or down graded traffic first in an effort to relieve the congestion. Another option is to change the accounting actions for this out-of-profile traffic (i.e., charge the user a higher rate).

Allocation of Network Resources

As shown, computer networks include numerous services and resources for use in moving traffic around the network. For example, different network links, such as Fast Ethernet, Asynchronous Transfer Mode (ATM) channels, network tunnels, satellite links, etc., offer unique speed and bandwidth capabilities. Particular intermediate devices also include specific resources or services, such as number of priority queues, filter settings, availability of different queue selection strategies, congestion control algorithms, etc. Nonetheless, these types of resources or services are highly device-specific. That is, most computer networks include intermediate devices manufactured by many different vendors, employing different hardware platforms and software solutions. Even intermediate devices from the same vendor may be running different software versions and thus provide different functionality. Thus, there is no consistency of resources at each of the intermediate devices and, therefore, it is generally not possible to simply select a single set of parameters for use in configuring all of them.

In addition, the allocation of network resources and services is becoming an important issue to network administrators and service providers as greater demands are being placed on their networks. Nonetheless, at the present time, there are few if any techniques available for applying traffic management policies across a network. Instead, the allocation of network resources and services is typically achieved by manually configuring the interfaces of each intermediate device. For example, to the extent there are parameters associated with a particular queuing strategy available at a given intermediate device (e.g., queue length for tail drop and minimum, maximum and mark probability for RED), these parameters must be set device-by-device by the network administrator. This is a time consuming and error prone solution. In addition, there are few if any tools currently available to network administrators suggesting how various network resources and services might be coherently allocated in order to implement any general policy. Accordingly, the ability to allocate network services and resources to implement network-wide quality of service policies is difficult and time-consuming.

SUMMARY OF THE INVENTION

It is an object of the present invention to provide a method and apparatus for applying high-level quality of service policies.

It is a further object of the present invention to provide a method and apparatus for translating high-level policies into a form that may be understood and applied by numerous dissimilar network devices.

It is a further object of the present invention to classify data traffic upon its entering a given network domain and to manage that traffic based on its classification.

Briefly, the invention relates to a method and apparatus for implementing high-level policies within a computer network having multiple, dissimilar network devices. The high-level policies, which are generally device-independent, are selected by a network administrator and translated by one or more policy servers into a set of rules that can be applied by specific network devices. In particular, a network administrator first selects an overall traffic template for a given network domain and may assign various applications and/or users to the corresponding traffic types of the template. The network administrator may also select or define one or more location-specific policies. As information is added to the template and the location-specific policies are defined, one or more corresponding data structures may be up-dated. The selected traffic template, location-specific policies and data structures are received at one or more policy servers within the network domain. Each policy server translates the high-level policies inherent in the selected traffic template, location-specific policies and data structures into a set of rules and may combine several related rules into a single transaction. Upon initialization, intermediate devices request traffic management information from the one or more policy servers. The policy server replies with a particular set of transactions and rules that are utilized by the intermediate devices for traffic management decisions. By propagating these rules across the network domain, each of the dissimilar intermediate devices can configure its corresponding traffic management components and mechanisms to operate in such a manner as to implement the high-level policies selected by the network administrator.

More specifically, a particular differentiated service (DS) codepoint is preferably assigned to each traffic type of the selected traffic template, based on the overall priority established by the network administrator. The DS codepoint essentially defines the overall treatment of the corresponding traffic type within the network domain. A set of classification rules are then generated by the policy server instructing intermediate devices to associate particular traffic types with their corresponding DS codepoints. For example, the classification rules may direct intermediate devices to load a DS codepoint into the DS field of Internet Protocol (IP) messages, depending on the type of IP traffic (e.g., stock exchange application). Devices that are not DS compliant may receive classification rules instructing them to load a particular value into the ToS or user_priority fields of received packets or frames. The classification rules, which may include one or more access lists, are preferably provided to all intermediate devices located at the boundary of the network domain so that a message is associated with its corresponding DS codepoint as soon as it enters the domain. Classification rules may also be used to associate quality of service (QoS) labels with messages. The QoS labels may be used by intermediate devices in making traffic management decisions, although, unlike the DS codepoints which are generally present in messages traveling the network, QoS labels are only associated with messages while they remain in the intermediate device. Classification rules may also be used to assign DS codepoints and/or QoS labels to data traffic generated within the network domain from un-trusted sources.

To implement specific traffic management policies or treatments, the policy server also defines a plurality of behavioral rules that basically instruct the intermediate devices how to manage data traffic that has been associated with a particular DS codepoint, QoS label, type of service and/or user priority value. For example, a behavioral rule may instruct the intermediate devices to place all messages associated with a particular DS codepoint (e.g., data frames from a stock exchange application or from a corporate executive) in a high priority queue.
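The RED/WRED decision described in the Congestion Control section, as an added example that is not part of the patent: a calculated (exponentially weighted) average queue depth is compared against per-class minimum and maximum thresholds, and the drop probability rises linearly from zero at the minimum threshold to the class's mark probability at the maximum threshold, with everything dropped above it and tail drop when the queue is physically full. The class names, thresholds, averaging weight, and the reading of "mark probability" as the drop probability reached at the maximum threshold are assumptions.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class WredProfile:
    """Per-class RED parameters: the values the text says must otherwise be set
    device-by-device (minimum, maximum and mark probability)."""
    min_threshold: float
    max_threshold: float
    mark_probability: float   # drop probability reached at max_threshold (assumption)

    def __post_init__(self):
        if not 0 <= self.min_threshold < self.max_threshold:
            raise ValueError("need 0 <= min_threshold < max_threshold")
        if not 0.0 < self.mark_probability <= 1.0:
            raise ValueError("mark_probability must be in (0, 1]")


class WredQueue:
    """One priority queue with tail drop at capacity and WRED before that."""

    def __init__(self, capacity: int, profiles: dict, weight: float = 0.1, seed: int = 1):
        self.capacity = capacity
        self.profiles = profiles          # traffic class -> WredProfile
        self.weight = weight              # EWMA weight for the average depth
        self.depth = 0                    # instantaneous queue depth
        self.avg_depth = 0.0              # calculated average queue depth
        self.rng = random.Random(seed)    # seeded so a run is reproducible
        self.dropped = {cls: 0 for cls in profiles}
        self.admitted = {cls: 0 for cls in profiles}

    def drop_probability(self, traffic_class: str) -> float:
        """Linear ramp between the class's thresholds: 0 below, 1 at/above max."""
        p = self.profiles[traffic_class]
        if self.avg_depth < p.min_threshold:
            return 0.0
        if self.avg_depth >= p.max_threshold:
            return 1.0
        span = p.max_threshold - p.min_threshold
        return p.mark_probability * (self.avg_depth - p.min_threshold) / span

    def enqueue(self, traffic_class: str) -> bool:
        """Return True if the packet is queued, False if dropped."""
        # Update the average first; a short burst barely moves it, so RED
        # reacts to sustained congestion rather than to a single spike.
        self.avg_depth += self.weight * (self.depth - self.avg_depth)
        if self.depth >= self.capacity:              # tail drop: queue is full
            self.dropped[traffic_class] += 1
            return False
        if self.rng.random() < self.drop_probability(traffic_class):
            self.dropped[traffic_class] += 1         # early (random) drop
            return False
        self.depth += 1
        self.admitted[traffic_class] += 1
        return True

    def dequeue(self) -> bool:
        """Forward one packet if any is queued."""
        if self.depth == 0:
            return False
        self.depth -= 1
        return True


def simulate(arrivals_per_slot: int = 3, slots: int = 400) -> dict:
    """Constructed overload: 3 arrivals (alternating classes) per 2 departures."""
    queue = WredQueue(capacity=60, profiles={
        "standard": WredProfile(10, 40, 0.20),   # dropped early and often
        "premium":  WredProfile(30, 50, 0.05),   # only dropped under heavy load
    })
    classes = ("standard", "premium")
    for slot in range(slots):
        for i in range(arrivals_per_slot):
            queue.enqueue(classes[(slot + i) % 2])
        queue.dequeue()
        queue.dequeue()
    return {"dropped": dict(queue.dropped), "admitted": dict(queue.admitted)}


if __name__ == "__main__":
    print(simulate())   # standard traffic absorbs almost all of the early drops
```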
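The boundary classification the Summary describes, as an added example that is not part of the patent: the one-octet ToS/DS field 202 of an IPv4 header is decoded both ways (IPP, D/T/R flags, six-bit codepoint), access-list style classification rules are matched on source, destination, protocol and port, and the matching rule's DS codepoint is loaded into the header with the checksum recomputed. The addresses, ports and codepoint values are constructed; a packet from an un-trusted source that matches no rule is re-marked to a default codepoint rather than keeping whatever it arrived with.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

IPV4_HDR = "!BBHHHBBH4s4s"   # ver/IHL, ToS, len, id, flags/frag, TTL, proto, csum, SA, DA
TCP, UDP = 6, 17


def decode_tos(tos: int) -> dict:
    """Read the one-octet field 202 both as IPv4 ToS and as the DS field 220."""
    return {
        "ipp": tos >> 5,                  # three-bit IP precedence field 210
        "delay": (tos >> 4) & 1,          # D flag 212
        "throughput": (tos >> 3) & 1,     # T flag 214
        "reliability": (tos >> 2) & 1,    # R flag 216
        "dscp": tos >> 2,                 # first six bits of the DS field
        "unused": tos & 0x3,              # last two bits (unused in both views)
    }


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the header, checksum bytes taken as zero."""
    header = header[:10] + b"\x00\x00" + header[12:]
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, dport: int, tos: int = 0,
               sport: int = 40000) -> bytes:
    """Constructed test packet: 20-byte header plus the first 8 bytes of L4."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4
    header = struct.pack(IPV4_HDR, 0x45, tos, 20 + len(l4), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + l4


def parse_ipv4(packet: bytes) -> dict:
    """Extract the fields the classification criteria need; verify the checksum."""
    ver_ihl, tos, _len, _id, _frag, _ttl, proto, csum, sa, da = \
        struct.unpack_from(IPV4_HDR, packet, 0)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != csum:
        raise ValueError("bad IPv4 header checksum")
    dport = None
    if proto in (TCP, UDP) and len(packet) >= ihl + 4:
        _sport, dport = struct.unpack_from("!HH", packet, ihl)
    return {"tos": tos, "proto": proto, "dport": dport,
            "src": ipaddress.IPv4Address(sa), "dst": ipaddress.IPv4Address(da)}


def set_dscp(packet: bytes, dscp: int) -> bytes:
    """Load a DS codepoint into field 220 and fix the header checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("a DS codepoint is six bits")
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    header[1] = dscp << 2                          # two unused bits cleared
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


@dataclass(frozen=True)
class ClassificationRule:
    """One access-list style criteria statement; None means 'any'."""
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    proto: Optional[int]
    dport: Optional[int]
    dscp: int                        # codepoint assigned to this traffic type

    def matches(self, f: dict) -> bool:
        return ((self.src is None or f["src"] in self.src) and
                (self.dst is None or f["dst"] in self.dst) and
                (self.proto is None or f["proto"] == self.proto) and
                (self.dport is None or f["dport"] == self.dport))


def classify_at_boundary(packet: bytes, rules, trusted_source: bool,
                         default_dscp: int = 0) -> bytes:
    """First matching rule marks the packet; otherwise only a trusted source
    keeps the codepoint it arrived with."""
    fields = parse_ipv4(packet)
    for rule in rules:
        if rule.matches(fields):
            return set_dscp(packet, rule.dscp)
    if not trusted_source:
        return set_dscp(packet, default_dscp)
    return packet


# Constructed rules: the stock exchange application of the text is assumed to
# live at 10.1.1.5, TCP port 5000, and to be assigned codepoint 46.
RULES = (
    ClassificationRule(None, ipaddress.IPv4Network("10.1.1.5/32"), TCP, 5000, 46),
    ClassificationRule(ipaddress.IPv4Network("10.5.0.0/16"), None, UDP, 5004, 34),
)
```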
To implement traffic management policies that are independent of DS codepoints and/or QoS labels, the policy servers preferably generate one or more configuration rules. Configuration rules generally instruct intermediate devices how to set-up their various traffic management components or mechanisms. For example, a configuration rule may contain a list of congestion algorithms in descending order of preference. Upon receipt of the configuration rule, an intermediate device examines the list and preferably adopts the first congestion algorithm that it supports.

In the preferred embodiment, the policy servers and intermediate devices utilize an extension to the Common Open Policy Service (COPS) protocol to exchange messages. More specifically, an intermediate device sends a Query Configuration message to the policy server that contains specific information about itself, such as the number and type of interfaces, whether the device is at a boundary of the intermediate domain and/or whether its interfaces are coupled to trusted or un-trusted devices. This device-specific information may be loaded in the query message as COPS objects. In response, the policy server selects a particular set of transactions or rules responsive to the device-specific information and provides them to the intermediate device. Preferably, the transactions and rules are similarly embedded as COPS objects in response messages. As described above, the intermediate device reviews these transactions and rules and implements those rules which are compatible with its particular traffic management components and mechanisms.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and further advantages of the invention may be better understood by referring to the following description in conjunction with the accompanying drawings, in which:

FIG. 1, previously discussed, is a block diagram of a prior art frame;

FIG. 2, previously discussed, is a block diagram of a portion of a prior art Internet Protocol (IP) header;

FIG. 3 is a highly schematic, partial diagram of a computer network;

FIG. 4 is a highly schematic, partial block diagram of a policy server in accordance with the present invention;

FIG. 5 is a highly schematic, partial block diagram of an intermediate device in accordance with the present invention;

FIG. 6 is a preferred traffic template that may be selected by a network administrator; and

FIGS. 7A-7F are block diagrams of data structures associated with the template of FIG. 6.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 3 is a highly schematic block diagram of a computer network 300. The network 300 may be segregated into one or more network domains by a network administrator, such as network domains 302 and 304, as described below. The network 300 includes a plurality of entities, such as end stations and servers, interconnected by a plurality of intermediate devices, such as bridges, switches and routers. In particular, network 300 includes a plurality of switches 306-314 and routers 316-318 interconnected by a number of links 320a to 320f which may be high-speed point-to-point or shared links. Each domain 302 and 304, moreover, includes at least one policy server 322 that is preferably connected to one or more intermediate devices, such as switch 308 and routers 316-318, by links 324a-324c. The network 300 also includes one or more repositories, such as repository 326, that is preferably connected to each policy server 322 by a link 328. The repository 326 may be an organization-based directory server.

The network 300 may further include one or more Dynamic Host Configuration Protocol (DHCP) servers, such as server 329, that is also coupled to the policy server 322 either directly or indirectly. DHCP, which is defined at Request for Comments (RFC) 2131, is built on a client/server model, where DHCP servers allocate IP addresses and deliver network configuration parameters to DHCP clients (e.g., hosts or end stations). Because IP addresses can be a scarce resource in some computer networks, DHCP servers assign them only for limited periods of time (referred to as a lease). Once a lease has expired, the corresponding IP address may be re-assigned to another host.

Attached to the switches 306-314 and routers 316-318 are a plurality of end stations 330-346 and servers 348-352, which may be file servers, print servers, etc. In particular, four end stations 330-336 are connected to switch 306, one end station 338 and one server 348 are connected to switch 308, two end stations 340 and 342 are connected to switch 310, one server 350 is connected to router 318, two end stations 344 and 346 are connected to switch 312, and one server 352 is connected to switch 314.

Software entities (not shown) executing on the various end stations 330-346 and servers 348-352 typically communicate with each other by exchanging discrete packets or frames of data according to predefined protocols, such as the Transmission Control Protocol/Internet Protocol (TCP/IP), the Internet Packet Exchange (IPX) protocol, the AppleTalk protocol, the DECNet protocol or NetBIOS Extended User Interface (NetBEUI). In this context, a protocol consists of a set of rules defining how the entities interact with each other. Data transmission over the network 300 consists of generating data in a sending process executing on a first end station, passing that data down through the layers of a protocol stack where the data are sequentially formatted for delivery over the links as bits. Those frame bits are then received at the destination station where they are re-assembled and passed up the protocol stack to a receiving process. Each layer of the protocol stack typically adds information (in the form of a header) to the data generated by the upper layer as the data passes down the stack. At the destination station, these headers are stripped off one-by-one as the frame propagates up the layers of the stack until it arrives at the receiving process.

Preferably, routers 316-318 are layer 3 intermediate devices and thus operate at the internetwork layer of the communication protocol stack implemented within the network 300. For example, routers 316-318 preferably include an Internet Protocol (IP) software layer, as defined by the well-known TCP/IP Reference Model. Routers 316-318 implement network services such as route processing, path determination and path switching functions. Switches 306-314 may be layer 2 intermediate devices and thus operate at the data link layer of the corresponding communication protocol stack. Switches 306-314 provide basic bridging functions including filtering of data traffic by medium access control (MAC) address, "learning" of a MAC address based upon a source MAC address of a frame and forwarding of the frame based upon a destination MAC address or route information field (RIF). Switches 306-314 may further provide certain path switching and forwarding decision capabilities normally only associated with routers. In the illustrated embodiment, the switches 306-314 and routers 316-318 are computers having transmitting and
receiving circuitry and components, including network interface cards (NICs) establishing physical ports, for exchanging data frames. The switches 306-314 and routers 316-318 further comprise programmable processing elements, which may contain software programs pertaining to the methods described herein. Other computer readable media may also be used to store the program instructions. In addition, associated with each port or physical network connection are one or more logical connections or interfaces defined by the IP software layer.

The terms router or layer 3 intermediate device as used herein are intended broadly to cover any intermediate device operating primarily at the internetwork layer, including, without limitation, routers as defined by Request for Comments (RFC) 1812 from the Internet Engineering Task Force (IETF), intermediate devices that are only partially compliant with RFC 1812, intermediate devices that provide additional functionality, such as Virtual Local Area Network (VLAN) support, IEEE 802.1Q support and/or IEEE 802.1D support, etc. The terms switch and layer 2 intermediate device are also intended to broadly cover any intermediate device operating primarily at the data link layer, including, without limitation, devices that are fully or partially compliant with the IEEE 802.1D standard and intermediate devices that provide additional functionality, such as Virtual Local Area Network (VLAN) support, IEEE 802.1Q support and/or IEEE 802.1p support, Asynchronous Transfer Mode (ATM) switches, Frame Relay switches, etc.

It should be understood that the network configuration 300 of FIG. 3 is for illustrative purposes only and that the present invention will operate with other, possibly far more complex, network topologies. It should be further understood that the repository may be indirectly connected to the policy servers (e.g., through one or more intermediate devices).

As described above, computer networks often include intermediate devices from many different vendors or, even if from the same vendor, having different hardware architectures or executing different versions of software. Accordingly, these intermediate devices provide many different features and options. For example, a first switch may provide only 2 priority queues per port, whereas a second switch may provide 8 priority queues per port. With regard to congestion algorithms and techniques, some intermediate devices may only support tail dropping, while others may be selectively configured to provide random early detection (RED). Thus, it is extremely difficult for a network administrator to configure all of the intermediate devices in accordance with a single, uniform traffic management plan. As a result, network-wide quality of service is generally not available. As described herein, the present invention provides a method and apparatus for allowing network administrators to apply high-level traffic management policies that attempt to impose such a uniform plan, despite the presence of dissimilar intermediate devices in their networks. The traffic management policies, moreover, may be automatically propagated to and implemented by the various intermediate devices.

FIG. 4 is a highly schematic, partial block diagram of policy server 322 in accordance with the preferred embodiment of the present invention. The policy server 322 is comprised of several components, including a policy translator 410 having one or more storage devices 412a-412c. Policy server 322 also includes a policy validation tool (PVT) 413 and a policy rule generating engine 414 that are each in communication with the policy translator 410, a device-specific filter entity 416 and a communication engine 418. As shown, the device-specific filter entity 416 communicates with both the policy rule generating engine 414 and the communication engine 418. The communication engine 418, moreover, is preferably configured to exchange messages with the intermediate devices (e.g., switches 306-314 and routers 316-318) of network 300. That is, communication engine 418 is connected to or includes conventional circuitry for sending and receiving messages across network 300, such as links 324a-324c. A server suitable for use as policy server 322 is any Intel/Windows NT® or Unix-based platform.

FIG. 5 is a partial block diagram of an intermediate device, such as router 318, in accordance with the preferred embodiment of the present invention. Router 318 preferably includes a communication engine 510 that is coupled to a traffic management controller 512. The communication engine 510 is configured to exchange messages with the policy server 322. Communication engine 510, like the communication engine 418 at policy server 322, is similarly connected to or includes conventional circuitry for transmitting and receiving messages across the network 300. The traffic management controller 512, which includes a policy rule decoder 514, is coupled to several components and mechanisms. In particular, traffic management controller 512 is coupled to a packet/frame classifier 516, a traffic conditioner entity 518, a queue selector/mapping entity 520 and a scheduler 522. The traffic conditioner 518 also includes sub-components, including one or more metering entities 524, one or more marker entities 526 and one or more shaper/dropper entities 528. The queue selector/mapping entity 520 and scheduler 522 operate on the various queues established by router 318 for its ports and/or interfaces, such as queues 530a-530e corresponding to an interface 532.

Creation of QoS Domains and Selection of High-Level Policies

First, the network administrator preferably identifies various regions of his or her computer network 300 to which he or she wishes to have different, high-level traffic management policies applied. The identification of such regions may depend on any number of factors, such as geographic location, business unit (e.g., engineering, marketing or administrative), anticipated network demands, etc. The network administrator preferably defines a separate Quality of Service (QoS) or network domain for each region and assigns a primary policy server (e.g., policy server 322) to each QoS domain (e.g., domain 302). Thus, a QoS domain is basically a logical set of entities and intermediate devices defined by the network administrator. As described below, the primary policy server is responsible for propagating the high-level traffic management policies to the intermediate devices within its QoS domain.

It should be understood that the policy server 322 may, but need not, be physically located within its QoS domain. It should be further understood that back-up or standby policy servers may also be assigned to the QoS domains should any primary policy server fail.

In addition, the boundaries of the network domains 302, 304 may be established so as to only include trusted devices. A "trusted device" is an entity (e.g., an end station or server) which is considered to correctly classify the packets that it sources and to keep its transmission of packets in-profile (i.e., within the bounds of the traffic specifiers of any applicable service level agreements). A packet is classified by loading its user priority field 114, ToS fields 202 and/or DS field 220 with a particular value or codepoint. Similarly,
an "un-trusted device" is an end station or server which is not assumed to correctly classify its own packets and/or maintain its flow of traffic within all applicable traffic specifiers. Packets from an un-trusted device must be examined and reclassified as necessary. Additionally, the flow from un-trusted devices must be policed. In a similar manner, the ports of an intermediate device that are coupled to one or more un-trusted devices are referred to as "un-trusted ports", whereas ports coupled to only trusted devices are "trusted ports".

Once the QoS domains have been defined, the network administrator preferably proceeds to select the high-level, device-independent traffic management policies that are to be implemented within each domain. First, the network administrator selects an overall traffic template that establishes the different traffic types that are to be supported within the respective domain. The network administrator may select one of several available traffic templates. An exemplary traffic template may be the traffic type list established by the IEEE in the 802.1p standard, which defines the following traffic types: best effort, background, excellent effort, controlled load, video, voice and network control, as described above. Other traffic templates include a financial template, a manufacturing template and a university or education template.

FIG. 6 is a highly schematic representation of a financial template 610 for use by a network administrator in accordance with the present invention. As shown, the financial template 610 includes a first column 612 listing a plurality of available traffic types corresponding to the financial template 610. The available traffic types include best effort, background, CEO best effort, voice, business applications, stock exchange applications, 500 kb/s video conference, 2 Mb/s video conference and network control. A second column 614 identifies a particular differentiated service (DS) value corresponding to each traffic type. The DS codepoint establishes the overall treatment that is to be assigned to the corresponding traffic type within the respective QoS domain 302. To fit within the first six bits of DS field 220, DS codepoints are in the range of 0-63. As described below, the DS codepoints may also be used by intermediate devices in loading the user priority and/or ToS fields 114, 202 with corresponding values during classification.

A third column 616 identifies the network users who may take advantage of the various traffic types. For example, the network administrator may decide that any network user may utilize the best effort, background, voice, 500 kb/s video, 2 Mb/s video and network control traffic types. However, only the chief executive officer (CEO) may take advantage of the CEO best effort traffic type and only network users from the marketing, administrative, executive, financial analysis and financial planning departments may utilize the business applications traffic type. Similarly, only network users from the financial analysis, financial planning and trading departments may use the stock exchange applications traffic type. A fourth column 618 identifies the application programs corresponding to each traffic type. For example, available business applications may include a spreadsheet application, a word processor application, or any of the well-known and commercially available business applications from SAP AG of Walldorf, Germany or PeopleSoft, Inc. of Pleasanton, Calif. A stock exchange application may be TIB from TIBCO Inc. of Palo Alto, Calif. The identification of network users in column 616 and the application programs in column 618 are preferably entered by the network administrator. The network administrator may rely on default DS codepoints in column 614 or may change these values as desired. The traffic types and DS codepoints for a given template are preferably derived from empirical studies and analysis of the computer network operations and usages of such industries and organizations.

In order to select the desired template and enter the requested information, the network administrator may interact with various windows of a graphical user interface (GUI). These windows, for example, may present fields, such as the entries for columns 616 and 618, having pull-down menus that request information from the network administrator. The information may be entered by the network administrator using a mouse or keyboard in a conventional manner. The GUI is preferably similar in operation to the CiscoWorks Windows interface (for configuring router interfaces) or the VlanDirector interface of the CiscoWorks for Switched Internetworks (CWSI) interface (for configuring VLANs), both from Cisco Systems Inc.

It should be understood that other means of associating traffic types to users, applications and DS codepoints, besides traffic templates, may be employed. It should also be understood that network administrators may select different templates or adjust their parameters for different times of day or for emergency situations.

Next, the network administrator defines any location-specific policies. For example, the network administrator may specify that intermediate devices located at the border of the QoS domain should only accept traffic that belongs to a specific group, such as company employees, department members, etc. Any traffic which does not belong to the group should be dropped. The network administrator may also define one or more lists of global parameters that are to be utilized throughout the QoS domain. An example of a global parameter list is a prioritized list of queue scheduling algorithms from first choice to last choice, such as WFQ, WRR and Priority Queuing (PQ). Other examples of global parameter lists include congestion algorithms (e.g., RED over tail dropping), enabling multi-link Point-to-Point Protocol (PPP) fragmentation, if available, and enabling Virtual Circuit (VC) merging, if available.

Associated with the template 610 are one or more data structures and, as information is entered into the template 610, these data structures are preferably updated accordingly. As described below, these data structures are used to generate the traffic management rules implemented by the intermediate devices. FIGS. 7A-7F are block diagrams of exemplary data structures associated with template 610. In particular, FIG. 7A is a network user table 710 that maps users identified in column 616 of template 610 with actual user names and/or IP addresses and masks. User table 710 preferably includes a user column 712, a name column 714, an IP address column 716, an IP mask column 718 and a plurality of rows such that the intersection of a column and row defines a table entry. As information is entered in column 616 of template 610, corresponding entries are made in the user column 712 of table 710. As described below, information for columns 714, 716 and 718 is subsequently added by the policy server 322. FIG. 7B is an application table 730 that maps the application programs entered on the financial template 610 to their network protocol, such as the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port numbers. In particular, application table 730 preferably includes a first column 732 listing the application programs identified in the selected template 610 and a second column 734 that identifies both the transport protocol and the port number for each corresponding application program.
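The treatment of trusted and un-trusted ports described above, as an added example that is not part of the patent: an ingress port that trusts the codepoint written by the sender versus one that discards that mark, re-classifies the packet from the template's user (subnet) and application (protocol/port) entries and polices the flow. The template entries, subnets, rates, mark-down codepoints and the single-rate token bucket with its burst size are constructed assumptions; the patent does not prescribe a policing algorithm, and the token bucket stands in for whatever the metering entity implements.

```python
"""Ingress handling for trusted vs. un-trusted ports (added example).

A trusted port accepts the DS codepoint the sender wrote into the packet.
An un-trusted port ignores that mark, re-classifies the packet from the
template (user subnet + application -> DSCP) and polices the flow with a
token bucket so that out-of-profile packets are marked down or dropped.
All addresses, rates and codepoints below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

BEST_EFFORT = 0
EF = 46  # expedited forwarding, a standardized codepoint (RFC 2598)

# Template rows: the subnet list stands in for the user column, the
# (proto, port) pair for the application column.  Hypothetical values.
TEMPLATE = [
    {"name": "voice", "dscp": EF, "users": ["0.0.0.0/0"], "app": ("udp", 5060),
     "rate_bps": 64_000, "markdown": BEST_EFFORT},
    {"name": "stock exchange", "dscp": 32, "users": ["10.1.0.0/16"], "app": ("tcp", 7474),
     "rate_bps": 512_000, "markdown": 30},
    {"name": "best effort", "dscp": BEST_EFFORT, "users": ["0.0.0.0/0"], "app": None,
     "rate_bps": None, "markdown": BEST_EFFORT},
]


@dataclass
class Packet:
    src: str
    proto: str
    dport: int
    length: int   # bytes
    dscp: int     # codepoint as written by the end station


class TokenBucket:
    """Single-rate policer: a packet is in-profile if enough tokens remain."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps / 8.0          # bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def conforms(self, now: float, length: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= length:
            self.tokens -= length
            return True
        return False


def classify(pkt: Packet):
    """Return the first template row whose user subnet and application match."""
    src = ipaddress.ip_address(pkt.src)
    for entry in TEMPLATE:
        if entry["app"] is not None and entry["app"] != (pkt.proto, pkt.dport):
            continue
        if any(src in ipaddress.ip_network(n) for n in entry["users"]):
            return entry
    return TEMPLATE[-1]


class IngressPort:
    def __init__(self, trusted: bool):
        self.trusted = trusted
        self.policers = {}

    def admit(self, pkt: Packet, now: float) -> str:
        """Return 'forward', 'remark' or 'drop'; rewrites pkt.dscp in place."""
        if self.trusted:
            return "forward"            # the sender's mark is taken at face value
        entry = classify(pkt)
        wanted = entry["dscp"]
        action = "forward" if pkt.dscp == wanted else "remark"
        pkt.dscp = wanted               # never keep a mark set by an un-trusted host
        if entry["rate_bps"] is None:
            return action
        key = (pkt.src, entry["name"])
        tb = self.policers.setdefault(key, TokenBucket(entry["rate_bps"], 2 * 1500))
        if tb.conforms(now, pkt.length):
            return action
        # Out of profile: mark the packet down; excess EF traffic is dropped.
        pkt.dscp = entry["markdown"]
        return "drop" if wanted == EF else "remark"


def demo():
    port = IngressPort(trusted=False)
    spoof = Packet("10.9.9.9", "tcp", 80, 1500, dscp=EF)   # web traffic self-marked EF
    r1 = port.admit(spoof, now=0.0)
    burst = [Packet("10.1.2.3", "tcp", 7474, 1500, 32) for _ in range(3)]
    r2 = [port.admit(p, now=0.0) for p in burst]           # 4500 B exceeds the 3000 B burst
    return r1, spoof.dscp, r2, [p.dscp for p in burst]
```

The per-(source, class) policer key means one un-trusted host cannot consume the whole class budget for the port; a real metering entity would also age idle buckets out of the dictionary.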
FIG. 7C is a classifier table 740 that maps DS codepoints, including those specified by the network administrator in the selected template 610, with corresponding values for use in classifying or shaping traffic within the corresponding QoS domain 302, as described herein. In particular, each available DS codepoint (0-63), which is loaded in a first column 742, is preferably mapped to a DS mark down value contained in a second column 744, a User Priority value contained in a third column 746 and a Type of Service (ToS) value contained in a fourth column 748. Preferably, table 740 is preconfigured with a set of default values corresponding to the selected template 610. The network administrator may, however, access table 740 while establishing the high level policies and modify these values.

FIGS. 7D-7F are exemplary queue/threshold assignment tables that map DS codepoints to queues and thresholds depending on the number of queues and thresholds that are available at a given interface. For example, FIG. 7D is a first queue/threshold assignment table 760 for an interface supporting two queues and two thresholds per queue. As shown, table 760 includes a column 762, 764 for each queue and a row 766, 768 for each threshold. At the intersection of each column and row is a cell 770a-d that contains the set of DS codepoints for the corresponding queue/threshold combination. For example, cell 770a identifies the set of DS codepoints (e.g., 0, 4, 8, etc.) to be assigned queue 1 and threshold 1. Similarly, cell 770d identifies the set of DS codepoints (e.g., 3, 7, 11, 62, 63, etc.) to be assigned queue 2 and threshold 2. FIG. 7E is a second queue/threshold assignment table 774 for an interface supporting 2 queues and 4 thresholds. Accordingly, table 774 includes two columns 776, 778 (one for each queue) and four rows 780-783 (one for each threshold) whose intersections define a plurality of cells 784a-h. The cells 784a-h contain the set of DS codepoints for the corresponding queue/threshold combination.

FIG. 7F illustrates a third queue/threshold assignment table 788 for interfaces supporting 5 queues and 2 thresholds. Thus, table 788 includes 5 columns 790-794 and 2 rows 795, 796 whose intersections define a plurality of cells 798a-j. As described above, each cell 798a-j includes a set of DS codepoints for the corresponding queue/threshold combination. For example, cell 798a includes DS codepoints 0, 10, etc., while cell 798g includes DS codepoints 6, 19, 60, etc.

It should be understood that a queue/threshold assignment table is preferably generated for each number of queue/threshold combinations supported by the interfaces in the network. It should be further understood that tables 760, 774 and 788 may only assign a subset of DS codepoints to queues and thresholds, rather than all DS codepoints. For example, DS codepoints may be segregated into standardized and private classes or codepoints. Standardized codepoints are assigned particular per hop behaviors by the IETF such as expedited or assured forwarding. Private codepoints may be associated with any treatment on an implementation-by-implementation basis. The present invention preferably maintains the associated behaviors of any standardized codepoints.

Generation of Policy Rules Based on the Selected High-Level Policies

Referring to FIG. 4, these high-level policies, including the financial template 610 (FIG. 6), data structures 710, 730, 740, 760, 774 and 788 (FIGS. 7A-F) and location-specific policies, if any, are then provided to the policy server 322. In particular, the information is received at the policy translator component 410, as shown by arrow 420. Policy translator 410 examines the high-level policies and corresponding data structures and may perform certain initial processing. For example, to the extent the user table 710 lists individual or group network users by title or department, the policy translator 410 may identify the actual users and obtain their IP addresses and/or corresponding subnet masks. For example, by accessing the repository 326 and/or other information resources, such as DHCP server 329, the policy translator 410 may enter additional information in table 710. In particular, policy translator 410 may query the repository 326 and/or DHCP server 329 to obtain a user's name, IP address and IP mask. This information may then be inserted in the corresponding entries of user table 710. Similar information, where appropriate, may be obtained for groups, such as the marketing, administrative and executive departments, from repository 326 or DHCP server 329, and entered into the user table 710. Policy translator 410 may use a conventional database query-response application, such as SQL, or the Lightweight Directory Access Protocol (LDAP) to communicate with the repository 326 and DHCP server 329. Alternatively, policy translator 410 may be preconfigured with such information.

The information for column 732 of the application table 730 may also be inserted by the policy translator 410. In particular, policy translator 410 may include a database that correlates application programs to transport protocol and port number. Many applications, such as the Hypertext Transfer Protocol (HTTP), are assigned specific, fixed TCP/UDP port numbers, such as port 80, in accordance with Request for Comments (RFC) 1700. This information may be stored by the policy translator 410 in a conventional manner. Although RFC 1700 provides fixed port numbers for hundreds of applications, there are still many applications that do not have predefined, fixed port numbers. The port numbers utilized by these applications are typically selected dynamically by the instances of the application program executing at the sending and receiving devices at the time the respective communication session is established.

To identify these dynamically selected port numbers, the intermediate devices may perform a stateful inspection of received packets for a given communication session. This stateful inspection may reveal the port numbers selected by the communicating entities. A suitable method for performing such stateful inspections is the Context Based Access Control feature of the Internetwork Operating System (IOS) from Cisco Systems, Inc. For some application programs, corresponding software modules may exist for identifying the selected port numbers for any given session of that application program. For example, software module @h245.voice.inspect is used to identify the port numbers selected by instances of H323.voice applications. Policy translator 410 may be configured with the identity of these modules for insertion in the appropriate entry of application table 730.

It should be understood that these data structures (e.g., tables 710, 730, 740, 760, 774 and 788) may be stored by policy translator 410 at its storage devices 412a-412c. It should be further understood that the policy translator 410 may also generate and store additional data structures in response to the high-level policies selected by the network administrator.

As tables 710, 730, 740, 760, 774 and 788 are loaded and/or updated, the policy rule generating engine 414 accesses this information and creates one or more rules that can be transmitted to the intermediate devices within the respective QoS domain 302.
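The queue/threshold assignment tables of FIGS. 7D-7F and the requirement that standardized codepoints keep their per hop behaviors, as an added example that is not the patent's own algorithm: a generator that turns one ranked, device-independent class list into a table for each (queues, thresholds) capability found on the network's interfaces, plus a checker for the two properties a practitioner would verify before pushing the tables out. The ranked list, the private codepoints 32 and 61, the rule that EF takes the top queue to itself whenever a second queue exists, and the placement of each class's lowest drop precedence at the highest threshold are assumptions of this example, not of the patent.

```python
"""Device-specific queue/threshold tables from device-independent classes
(added example, not from the patent).

Queue `queues` is the highest-priority queue; threshold `thresholds` is the
last to drop (100% of the buffer) and threshold 1 drops first.  Standardized
codepoints keep their per hop behaviour: EF gets the top queue alone whenever
a second queue exists, and the drop precedences inside an AF class are never
inverted or split across queues.  All sample data below is constructed.
"""

EF = 46
# AF classes as (low, medium, high drop precedence) codepoints, RFC 2597.
AF4 = (34, 36, 38)
AF3 = (26, 28, 30)
AF1 = (10, 12, 14)

# Ranked classes, highest priority first.  32 (stock exchange) and 61
# (CEO best effort) are private codepoints; the values are hypothetical.
RANKED = [(EF,), (61,), AF4, (32,), AF3, AF1, (0,)]


def assign(ranked, queues, thresholds):
    """Map each (queue, threshold) pair to a sorted list of codepoints."""
    if queues < 1 or thresholds < 1:
        raise ValueError("an interface needs at least one queue and one threshold")
    table = {(q, t): [] for q in range(1, queues + 1) for t in range(1, thresholds + 1)}
    classes = list(ranked)
    ef_alone = queues >= 2 and bool(classes) and classes[0] == (EF,)
    if ef_alone:
        table[(queues, thresholds)].append(EF)
        classes = classes[1:]
        free = list(range(queues - 1, 0, -1))      # remaining queues, top first
    else:
        free = list(range(queues, 0, -1))
    # Split the remaining classes into len(free) contiguous groups, top first.
    n, k = len(classes), len(free)
    bounds = [round(i * n / k) for i in range(k + 1)]
    for q, (lo, hi) in zip(free, zip(bounds, bounds[1:])):
        for cls in classes[lo:hi]:
            for i, dscp in enumerate(cls):        # i is the drop precedence index
                table[(q, thresholds - min(i, thresholds - 1))].append(dscp)
    for cell in table.values():
        cell.sort()
    return table


def phb_preserved(table):
    """True if EF sits in the top used queue and no AF class is split or inverted."""
    where = {d: cell for cell, dscps in table.items() for d in dscps}
    if EF in where and any(where[d][0] > where[EF][0] for d in where):
        return False
    for cls in (AF4, AF3, AF1):
        present = [d for d in cls if d in where]
        if len({where[d][0] for d in present}) > 1:      # class split across queues
            return False
        if any(where[a][1] < where[b][1] for a, b in zip(present, present[1:])):
            return False                                  # drop precedence inverted
    return True


def tables_for(interfaces):
    """One table per distinct (queues, thresholds) capability in the network."""
    return {cap: assign(RANKED, *cap) for cap in sorted(set(interfaces))}


if __name__ == "__main__":
    for cap, table in tables_for([(2, 2), (5, 2), (2, 4)]).items():
        print(cap, {k: v for k, v in table.items() if v}, phb_preserved(table))
```

On a one-queue, one-threshold interface every codepoint lands in the same cell; `phb_preserved` still passes because nothing is inverted, which is the honest answer for hardware that cannot differentiate. Run the checker on every generated table, including any the administrator edits by hand, before the rule generating engine turns it into behavioral rules.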
These rules, moreover, which may include one or more access control lists, are in a format that is both readable and executable by the intermediate devices, as described below.

First, the policy rule generating engine 414 creates a set of classification rules. Classification rules are generally utilized by intermediate devices to assign a given treatment to network traffic based on certain criteria, such as source or destination address, protocol, port number, application program, etc. In the preferred embodiment, classification rules, which include one or more objects, are applied at specific locations (e.g., an interface or group of interfaces coupled to un-trusted devices) or at intermediate devices located at the boundary of the QoS domain 302. Location-specific classification rules preferably have the following format:

<location> <direction> <acl> <rmo> <Classification_Decision_Rule>

where the "location" object identifies a particular interface, interface type or role as described below, the "direction" object refers to whether the rule is to be applied to packets at the input, output or both portions of the interface(s), the "access control list" (acl) object contains a list of criteria statements to be applied to the packets, the "rule management object" (rmo) instructs the intermediate device how to respond if conflicting actions are returned and the "Classification_Decision_Rule" object is the actual rule or rules applied to packets matching the acl object. Although the rmo preferably instructs the intermediate device to select the best match, other tie-breaking solutions may be presented. The second format of a classification rule, which is used with intermediate devices located at the boundary of the QoS domain 302, appears as follows.

<acl><rmo><Classification_Decision_Rule>

In addition, the acl object may have one of two formats.

(1) <destination IP address or destination IP mask><source IP address or source IP mask><protocol><source and/or destination port numbers> or

(2) <destination or source MAC address>

In the preferred embodiment, classification rules are used for one of three primary purposes: (1) assigning a DS codepoint to packets, (2) assigning a QoS label to packets while they are processed within an intermediate device or (3) instructing an intermediate device to shape, mark and/or drop out-of-profile traffic. For example, a classification rule may be used at the border intermediate devices instructing them to drop packets with a given source IP address or IP mask. A classification rule may also be used to assign a given DS codepoint to all traffic associated with a given IP mask (e.g., all traffic from the marketing department) or all traffic associated with a given port (e.g., port 23 for Telnet).

As described above, only sixty-four DS codepoints are supported by the DS field 220. To extend the concept of packet-specific differentiated services beyond sixty-four options, the present invention also utilizes Quality of Service (QoS) labels. A QoS label is a name string of any length (e.g., an integer, an alphanumeric string, etc.) that may be associated with a packet while it remains internal to the intermediate device. Classification rules may also be used to assign QoS labels to packets based on their source or destination address, protocol, application, etc. As described below, intermediate devices maintain a mapping of QoS labels to traffic types and to the corresponding action to be taken or service to be provided.

Next, the policy rule generating engine 414 creates a set of behavioral rules, which are utilized to instruct intermediate devices how to treat data traffic assigned a particular DS codepoint and/or QoS label by the classification rules. Behavioral rules also include one or more objects and are preferably applied at all compliant intermediate devices within the QoS domain 302. Behavioral rules may be location-specific or location-independent. The preferred format of a location-specific behavioral rule is as follows.

<location><direction><label_Test><Behavioral_Rule_Decision>

where the "label_Test" object may be <dsc_Test> (e.g., DS codepoint=N, where N is some number, such as "32") or <QoS_Label_Test> (e.g., QoS Label=N). The preferred format of a location-independent behavioral rule is as follows.

<label_Test><Behavioral_Rule_Decision>

By applying the label_Test to each packet, the intermediate device determines whether the corresponding Behavioral_Rule_Decision should be applied. The Behavioral_Rule_Decision object preferably implements one or more of the possible decisions: select queue, select queue threshold, set the User_Priority field 114, set the IPP sub-field 210 or shape, mark and/or drop packets satisfying the label_Test object. For example, a behavioral rule may instruct the intermediate devices to set to "6" both the User_Priority field 114 and the IPP sub-field 210 of all frames or packets whose DS codepoint is "61". Similarly, another behavioral rule may instruct intermediate devices to place all messages whose DS codepoint is "32" (e.g., data frames from a stock exchange application) in a high priority queue. Behavioral rules may similarly specify a particular treatment based on the QoS label, user priority or type of service of a packet or frame, such as fast or reliable service. In response, an intermediate device may select a particular transmission link. Since behavioral rules lack an rmo object, intermediate devices apply all behavioral rules they support, not just the first one. If multiple behavioral rules specify contradictory actions, the last one preferably takes precedence.

To implement traffic management policies that are independent of DS codepoints and/or QoS labels, the policy rule generating engine 414 preferably creates a plurality of configuration rules. In general, configuration rules instruct intermediate devices how to set up their various traffic management components or mechanisms. Configuration rules also have a location-specific and a location-independent format, which are preferably as follows.

<location><direction><Configuration_Rule_Decision>

<Configuration_Rule_Decision>

The "Configuration_Rule_Decision" object may be used to specify certain global parameters or algorithm parameters. For example, the Configuration_Rule_Decision object of a given configuration rule may contain a list of queue scheduling algorithms in descending order of preference, such as WFQ, WRR, PQ and none. In addition, if an intermediate device uses tail drop and supports four different drop thresholds per queue, a configuration rule may set the four thresholds (e.g., at 50%, 80%, 95% and 100% of the buffer limit) and assign a name to each threshold. Similarly, if an intermediate device supports WRED, a configuration rule may be used to set the minimum threshold, maximum threshold and probability constant for each weight. Also, for WRR, a configuration rule may assign the weights to the various queues.
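The classification and behavioral rule formats above, as an added example that is not from the patent: ACL matching under a "best match" rmo (read here as the most constrained fields first, then the longest prefix), a boundary rule that drops, a QoS label carried with the packet inside the device, and the apply-all, last-wins evaluation of behavioral rules, including a device that does not support one decision kind. The rules, packets and the specificity ordering are constructed assumptions; the patent leaves the exact tie-break to the rmo.

```python
"""Classification and behavioural rule evaluation (added example, not from
the patent).  Classification rules follow
<location><direction><acl><rmo><Classification_Decision_Rule>; behavioural
rules follow <label_Test><Behavioral_Rule_Decision>.  Rules and packets are
constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Acl:
    """Format (1) of the acl object; a None field matches anything."""
    dst: Optional[str] = None      # destination address or subnet
    src: Optional[str] = None      # source address or subnet
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt) -> bool:
        for net, addr in ((self.dst, pkt["dst"]), (self.src, pkt["src"])):
            if net is not None and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
                return False
        return ((self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"]))

    def specificity(self):
        """Best match = most constrained fields, then longest prefixes (assumed)."""
        fields = sum(f is not None for f in (self.dst, self.src, self.proto, self.dport))
        prefix = sum(ipaddress.ip_network(n).prefixlen for n in (self.dst, self.src) if n)
        return (fields, prefix)


@dataclass
class ClassificationRule:
    location: str          # interface role, e.g. "untrusted" or "border"
    direction: str         # "in", "out" or "both"
    acl: Acl
    decision: dict         # e.g. {"dscp": 32, "label": "stock"} or {"drop": True}
    rmo: str = "best-match"


@dataclass
class BehavioralRule:
    label_test: dict       # {"dscp": 32} or {"label": "stock"}
    decision: dict         # e.g. {"queue": 5}, {"user_priority": 6}


def classify(rules, pkt, location, direction="in"):
    """Apply the best-matching classification rule; return the marks it sets."""
    hits = [r for r in rules
            if r.location == location and r.direction in (direction, "both")
            and r.acl.matches(pkt)]
    if not hits:
        return {}
    best = max(hits, key=lambda r: r.acl.specificity())   # the rmo's tie-break
    return dict(best.decision)


def behave(rules, marks, supported=("queue", "threshold", "user_priority", "ipp", "drop")):
    """Apply every behavioural rule whose label_Test holds; the last one wins."""
    actions = {}
    for r in rules:
        if all(marks.get(k) == v for k, v in r.label_test.items()):
            for k, v in r.decision.items():
                if k in supported:          # a device applies only what it supports
                    actions[k] = v
    return actions


CLASSIFICATION = [
    ClassificationRule("untrusted", "in", Acl(src="10.1.0.0/16", proto="tcp", dport=7474),
                       {"dscp": 32, "label": "stock"}),
    ClassificationRule("untrusted", "in", Acl(src="10.1.0.0/16"), {"dscp": 0}),
    ClassificationRule("untrusted", "in", Acl(src="10.1.7.0/24"), {"dscp": 8}),
    ClassificationRule("border", "both", Acl(src="192.0.2.0/24"), {"drop": True}),
]
BEHAVIORAL = [
    BehavioralRule({"dscp": 32}, {"queue": 2}),
    BehavioralRule({"label": "stock"}, {"queue": 5, "threshold": 2}),   # later rule wins
    BehavioralRule({"dscp": 61}, {"user_priority": 6, "ipp": 6}),
]


def treat(pkt, location, direction="in"):
    """Classify at the given location, then run the behavioural rules."""
    marks = classify(CLASSIFICATION, pkt, location, direction)
    return marks, behave(BEHAVIORAL, marks)
```

Because behavioral rules have no rmo, rule order in the transmitted set is part of the policy: reordering the two "stock" rules above changes the queue selected. The policy server should therefore emit behavioral rules in a deterministic order, and a device that silently skips an unsupported decision (as `behave` does for `threshold`) should report that to the server rather than leave the administrator assuming the threshold took effect.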
The rule generating engine 414 may also combine several related rules into a transaction. More specifically, rules that are meaningful only if applied simultaneously and which may cause transient misconfigurations if implemented one at a time are combined into a transaction. For example, a network administrator may want to log as well as drop all attempts to access a subnetwork or LAN by a known hacker. Rather than issue a separate rule that only provides for logging and a subsequent rule for dropping, which might result in transitory access by the hacker, these two rules (log and drop) are preferably combined into a single transaction. A "transaction start" object is preferably used to indicate the start of a set of rules forming a transaction and a "transaction end" object indicates the end. As described below, the rules and transactions are accessible by the device-specific filter entity 416 which collects relevant rules for transmission to the intermediate devices.

To generate the particular rules for a given QoS domain, the policy rule generating engine 414 preferably performs a conventional algorithmic transformation on the corresponding data structures (e.g., tables 710, 730, 740, 760, 774 and 788). This algorithmic transformation converts the information from the data structures into the necessary access control list objects and classification, behavioral and configuration rule objects of the corresponding rules. Such algorithmic transformations are well-known to those skilled in the art. The objects comprising the various rules, including the rule objects themselves, may be defined using Abstract Syntax Notation One (ASN.1) which is well-known to those skilled in the art.

The policy translator 410 also interfaces with the policy validation tool (PVT) 413 to identify any conflicting policies. That is, the PVT 413 examines the high-level policies and performs a conflict check. In particular, the PVT 413

[The traffic management controller 512] determines that router 318 has five queues 530a-530e per interface 532. Additionally, traffic management controller 512 may determine that each queue 530a-530e may support either RED or tail dropping and supports two settable thresholds per queue. The traffic management controller 512 may further identify the roles assigned to one or more of its interfaces.

Roles preferably specify the type or nature of an interface or sub-interface. For example, an interface may be trusted or un-trusted. It may be configured to perform policing and shaping of traffic from a subscribing network. It may be an interface that multiplexes large volumes of traffic to the backbone network, or it may be a QoS border interface. An interface may also have more than one role. The particular role or roles of an interface are preferably assigned by a network administrator utilizing a management protocol, such as Simple Network Management Protocol (SNMP) or CiscoWorks from Cisco Systems, Inc., during configuration of the interface. A corresponding flag, label or name may be maintained by the device to identify the various roles of its interfaces. For router 318, the interface coupled to domain 304 may be assigned the role of policing and shaping traffic from subscribing domain 304 in accordance with one or more traffic specifiers.

The assignment of roles facilitates the creation and implementation of network policies. In particular, global policies may be defined that apply to all interfaces regardless of their particular roles. Local policies apply to the role at one specific interface. In other words, policies may be assigned to roles and roles may be assigned to the various interfaces in the network. Thus, by simply changing the role at a given interface, a network administrator ensures that the appropriate network policies are automatically propagated to and implemented by that interface. Each role, moreover, may have a corresponding precedence to resolve any conflicts that might arise at an interface assigned more than one role. All of this information may be transmitted by the traffic

determines whether the policies ascribe conflicting treat- management controller 512 to the communication engine 

ments to the same traffic. For example, two polices may call 510 along with an instruction to send to the information to 

for different shaping or marking to be applied to the same the policy server 322. In response, the communication 

traffic stream. Another policy may be incomplete by failing 40 engine 510 preferably formulates a Configuration Request 

to specify a requisite condition. All conflicts detected by the message that includes the information received from the 

PVT 413 are reported to the policy translator 410. The PVT traffic management controller 512 as a series of objects. The 

413 may also determine whether sufficient network Configuration Request message is then transmitted by the 

resources exist to implement the policies. For example, a communication engine 510 to the policy server 322. 

policy may require at least one network path having 3 or 45 At the policy server 322, the Configuration Request 

more queues at each intermediate device along the path. If message is received at the corresponding communication 

no such path exists, the PVT 413 preferably reports this engine 418 and handed to the device-specific filter entity 

condition to the policy translator 410. 416. The device-specific filter entity 416 examines the 

Propagation of the Policy Rules to Intermediate Devices Configuration Request to determine what types of network 

In operation, intermediate devices within a QoS domain 50 resources and services are available at router 318 and what 

will request traffic management information from the local roles if any are associated with its interfaces. In particular, 

policy server. This information will then be utilized by the the device-specific filter entity 416 determines that router 

intermediate devices in setting their resources and in making 318 supports both RED and tail dropping, has five queues 

traffic management decisions. In the preferred embodiment, with two settable thresholds per queue and an interface 

the policy server and intermediate devices utilize an exten- 55 whose role is to police and shape traffic from a subscribing 

sion to the Common Open Policy Service (COPS) client- network. Based on this determination, the device-specific 

server communication protocol. In particular, the policy filter entity 416 obtains a particular set of transactions and/or 

server and the intermediate devices preferably utilize the rules from the policy rule generating engine 414 that cor- 

COPS extension described in COPS Usage for Differentia responds to the network services and resources available at 

ated Services, an Internet Draft Document, dated August 60 router 318. For example, the device -specific filter entity 416 

1998, from the Network Working Group of the IETF, which may obtain one or more classification rules instructing router 

is hereby incorporated by reference in its entirety. 318 to classify packets from a given source (e.g., domain 

More specifically, referring to FIGS. 4 and 5, upon 304) with a given DS codepoint and/or QoS label. Rules for 

initialization of router 318, the traffic management controller policing and shaping traffic from domain 304 may also be 

512 polls the various components and mechanisms to deter- 65 obtained. 

mine what network resources and services router 318 has to Additionally, the device-specific filter entity 416 may 

offer. For example, traffic management controller 512 deter- obtain one or more behavioral rules that instruct router 318 



02/06/2004, EAST Version: 1.4.1 



6,1< 

19 

to map packets with various DS codepoints to specific 
queues and thresholds in accordance with the information 
contained in table 788 (FIG. 7F). More specifically, a first 
behavioral rule may provide for mapping packets with a DS 
codepoint of 0, 10, etc. (e.g., DS codepoints corresponding 
to cell 798a) to queue 1 (e.g., queue 530a) and the lower 
threshold. Another behavioral rule may map packets with a 
DS codepoint of 6, 19, 60, etc. (e.g., DS codepoints corre- 
sponding to cell 798^) to queue 2 (e.g., queue 530b) and the 
second threshold and so on. Thus, a set of behavioral rules 
are obtained that will allow router 318 to map various 
packets based on their DS codepoints to queues 530<z-530e 
and corresponding thresholds. 
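The conflict check performed by the PVT 413 described above (conflicting treatments for overlapping traffic, policies missing a requisite condition or treatment, and a resource check for a path whose intermediate devices each have enough queues), as an added Python model. This is editorial example code, not the patent's own implementation; the policy names, selector keys, addresses and the small topology are constructed for illustration.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    match: dict     # traffic selector, e.g. {"src": "10.1.0.0/16", "app": "voip"}; missing key = any
    action: dict    # treatment, e.g. {"mark": 46} or {"shape_kbps": 512}


NET_KEYS = {"src", "dst"}   # selector keys holding CIDR prefixes (assumed key names)


def _values_overlap(key: str, a, b) -> bool:
    if key in NET_KEYS:
        return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))
    return a == b


def selectors_overlap(p: Policy, q: Policy) -> bool:
    """True if a single packet could satisfy both selectors (a missing key matches anything)."""
    return all(_values_overlap(k, p.match[k], q.match[k]) for k in p.match.keys() & q.match.keys())


def validate(policies: list) -> list:
    """Conflict check: returns (kind, ...) findings; an empty list means the policy set is clean."""
    findings = []
    for p in policies:
        if not p.match:
            findings.append(("incomplete", p.name, "no traffic condition"))
        if not p.action:
            findings.append(("incomplete", p.name, "no treatment"))
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            if not selectors_overlap(p, q):
                continue
            for key in p.action.keys() & q.action.keys():
                if p.action[key] != q.action[key]:      # same traffic, different treatment
                    findings.append(("conflict", p.name, q.name, key))
    return findings


def path_with_queues(topology: dict, src: str, dst: str, min_queues: int):
    """Resource check: BFS for a src->dst path on which every intermediate device has at
    least `min_queues` queues. Endpoints are not checked. Returns the path or None."""
    prev = {src: None}
    todo = deque([src])
    while todo:
        node = todo.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in topology[node]["links"]:
            if nxt in prev:
                continue
            if nxt != dst and topology[nxt]["queues"] < min_queues:
                continue                                 # this hop cannot honour the policy
            prev[nxt] = node
            todo.append(nxt)
    return None


# Constructed policy set and topology (illustrative only).
POLICIES = [
    Policy("voice-gold", {"src": "10.1.0.0/16", "app": "voip"}, {"mark": 46}),
    Policy("lab-bronze", {"src": "10.1.2.0/24"}, {"mark": 10}),        # overlaps voice-gold
    Policy("guest-shape", {"src": "192.0.2.0/24"}, {"shape_kbps": 512}),
    Policy("web-unfinished", {"app": "web"}, {}),                       # no treatment given
]
TOPOLOGY = {   # queue count per device; links are listed in both directions
    "domain304": {"queues": 0, "links": ["router318"]},
    "router318": {"queues": 5, "links": ["domain304", "switch306", "routerB"]},
    "switch306": {"queues": 2, "links": ["router318", "hosts"]},
    "routerB":   {"queues": 4, "links": ["router318", "hosts"]},
    "hosts":     {"queues": 0, "links": ["switch306", "routerB"]},
}

if __name__ == "__main__":
    for finding in validate(POLICIES):
        print(finding)
    print(path_with_queues(TOPOLOGY, "domain304", "hosts", 3))
    print(path_with_queues(TOPOLOGY, "domain304", "hosts", 5))
```

Overlap is decided per selector key: prefixes overlap if the networks intersect, other keys must be equal, and a key absent from one policy is a wildcard. That is what makes `lab-bronze` conflict with `voice-gold` on the `mark` treatment although it never mentions an application.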

Filter entity 416 may also obtain one or more configuration rules. For example, filter entity 416 may obtain a configuration rule for use in setting the scheduler 522. In particular, a configuration rule may provide a list of scheduling algorithms in a preferred order (e.g., WFQ, WRR and Priority Queuing). Another configuration rule may provide that Virtual Circuit merging should be applied where available. Filter entity 416 may access the policy rules via a virtual information store, such as the Policy Information Base (PIB) specified in the draft COPS Usage for Differentiated Services document.

Once the device-specific filter entity 416 has obtained a set of transactions or rules for router 318, it provides them to the communication engine 418 which, in turn, loads them into one or more Decision Messages. These Decision Messages are then transmitted by communication engine 418 to router 318. Communication engine 510 at router 318 receives the Decision Messages, extracts the rules contained therein and provides them to the traffic management controller 512 where they may be decoded by policy rule decoder 541. Traffic management controller 512 may also build one or more data structures (such as tables) to store the mappings contained in any received behavioral rules.
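The Configuration Request / Decision Message round trip described above, as an added Python model covering both ends: the device reports its queues, thresholds and interface roles; the device-specific filter selects only rules the device can honour, keeping each transaction (here the log-and-drop pair) whole or dropping it whole; the device applies each item all-or-nothing so that a log-only state never exists, and builds its DS codepoint to queue/threshold table. This is editorial example code, not the patent's implementation or a COPS encoding; the capability names, role names, rule bodies and the attacker address are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    kind: str                      # "classification", "behavioral" or "configuration"
    body: dict                     # device-independent instruction
    role: Optional[str] = None     # interface role the rule targets; None = global
    needs: Optional[dict] = None   # capabilities required; ints are minimums


@dataclass(frozen=True)
class Transaction:
    rules: tuple                   # rules that are only meaningful when applied together


def compatible(rule: Rule, request: dict) -> bool:
    """Does the requesting device offer the role and capabilities this rule needs?"""
    if rule.role is not None and rule.role not in request["roles"]:
        return False
    caps = request["capabilities"]
    for cap, need in (rule.needs or {}).items():
        have = caps.get(cap)
        if isinstance(need, int) and not isinstance(need, bool):
            if have is None or have < need:
                return False
        elif have != need:
            return False
    return True


def select_rules(request: dict, items: list) -> list:
    """Device-specific filter: a Transaction is selected whole or not at all."""
    decision = []
    for item in items:
        members = item.rules if isinstance(item, Transaction) else (item,)
        if all(compatible(r, request) for r in members):
            decision.append(item)
    return decision


class Device:
    """Intermediate device side: reports its own capabilities, applies Decisions."""
    def __init__(self, name: str, capabilities: dict, roles: list):
        self.name, self.capabilities, self.roles = name, capabilities, roles
        self.dscp_map = {}     # dscp -> (queue, threshold), from behavioral rules
        self.acl = []          # (action, source) entries in installation order
        self.rejected = []     # items refused by the local sanity check

    def configuration_request(self) -> dict:
        return {"device": self.name, "capabilities": self.capabilities, "roles": self.roles}

    def _stage(self, rule: Rule, state: dict) -> None:
        b = rule.body
        if rule.kind == "behavioral":
            if b["queue"] > self.capabilities["queues"] or b["threshold"] > self.capabilities["thresholds"]:
                raise ValueError(f"{self.name} lacks queue {b['queue']} / threshold {b['threshold']}")
            for dscp in b["dscp"]:
                state["dscp_map"][dscp] = (b["queue"], b["threshold"])
        elif rule.kind == "classification":
            state["acl"].append((b["action"], b["src"]))
        # configuration rules (scheduler order, VC merge) would be staged here as well

    def apply_decision(self, decision: list) -> None:
        """Each item is staged on a copy of the state and committed only if every member
        rule applies, so a log-only or drop-only configuration is never visible."""
        for item in decision:
            members = item.rules if isinstance(item, Transaction) else (item,)
            staged = {"dscp_map": dict(self.dscp_map), "acl": list(self.acl)}
            try:
                for r in members:
                    self._stage(r, staged)
            except ValueError:
                self.rejected.append(item)
                continue
            self.dscp_map, self.acl = staged["dscp_map"], staged["acl"]

    def classify(self, dscp: int) -> tuple:
        """Queue and threshold for a DS codepoint; unmapped codepoints take queue 1."""
        return self.dscp_map.get(dscp, (1, 1))


# Constructed rule set; the address, roles and capability names are illustrative.
ATTACKER = "192.0.2.77"
RULES = [
    Transaction((Rule("classification", {"action": "log", "src": ATTACKER}),
                 Rule("classification", {"action": "drop", "src": ATTACKER}))),
    Rule("behavioral", {"dscp": [0, 10], "queue": 1, "threshold": 1}, needs={"queues": 1}),
    Rule("behavioral", {"dscp": [6, 19, 60], "queue": 2, "threshold": 2},
         needs={"queues": 2, "thresholds": 2}),
    Rule("behavioral", {"dscp": [46], "queue": 5, "threshold": 1}, needs={"queues": 5}),
    Rule("configuration", {"vc_merge": True}, needs={"vc_merge": True}),
    Rule("classification", {"action": "police", "src": "subscriber"}, role="subscriber-edge"),
]


def exchange(device: Device, rules: list = RULES) -> list:
    """One round trip: Configuration Request to the server, Decision applied at the device."""
    decision = select_rules(device.configuration_request(), rules)
    device.apply_decision(decision)
    return decision


if __name__ == "__main__":
    router = Device("router318", {"queues": 5, "thresholds": 2, "red": True, "vc_merge": False},
                    ["subscriber-edge"])
    switch = Device("switch306", {"queues": 2, "thresholds": 1}, ["untrusted-access"])
    for dev in (router, switch):
        exchange(dev)
        print(dev.name, dev.acl, sorted(dev.dscp_map.items()))
```

Two checks protect the transaction semantics: the server never ships half a transaction, and the device still stages and rolls back locally, which matters when a stale or malformed Decision arrives from a server that mis-read the device's capabilities.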

It should be understood that intermediate devices learn of the identity of the policy server 322 through any conventional means, such as manual configuration or a device configuration protocol.

Implementation of the Policy Rules at Specific Intermediate Devices

First, traffic management controller 512 proceeds to configure its components and mechanisms in accordance with the instructions contained in the configuration rules. For example, to the extent router 318 supports Virtual Circuit merging, this feature is enabled. Similarly, to the extent scheduler 522 can implement WRR and Priority Queuing, traffic management controller 512 configures it to use WRR. As packets are received at router 318, they are examined by the packet/frame classifier 516 which reports the contents of the packet's User_Priority field 114, IPP sub-field 210 and/or DS field 220 to the traffic management controller 512. Packet/frame classifier 516 may also supply other packet header information to the traffic management controller, such as source IP address, port, protocol, etc. In response, the traffic management controller 512 relies on the received behavioral rules to determine in which queue 530a-530e the corresponding packet should be placed for forwarding and to instruct the queue selector/mapping entity 520 accordingly. Similarly, router 318 relies on the behavioral rules to determine which packets to mark down and/or drop.

Furthermore, to the extent router 318 polices traffic received from subscribing domain 304, additional configuration rules may be provided to router 318 for setting its traffic conditioner entity 518. For example, one or more configuration rules may instruct router 318 to activate its meter entity 524 so as to monitor the traffic arriving from domain 304. If out-of-profile traffic is to be marked through marker entity 526, classification rules may be provided for re-setting the DS codepoints of traffic that is out-of-profile based on the information contained in table 740. Alternatively, if out-of-profile traffic is to be shaped or dropped, other configuration rules may instruct the associated traffic management controller 512 to set the shaper/dropper entity 528 accordingly.
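The meter / marker / dropper chain of the traffic conditioner described above, as an added Python example: a token-bucket meter decides whether each packet is in profile, and out-of-profile packets are either re-marked to a lower DS codepoint or dropped. This is editorial code, not the patent's conditioner, and the patent does not specify the metering algorithm; the token bucket, the rate and burst figures, and the mark-down table (AF11 to AF12 and so on, in the spirit of the mark-down values in the priority table of claim 18) are assumptions.

```python
from dataclasses import dataclass


class TokenBucket:
    """Meter for one traffic specifier: `rate` bytes per second, `burst` bytes of credit.
    Time is supplied by the caller so the meter is deterministic and testable."""
    def __init__(self, rate: float, burst: int, now: float = 0.0):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def conforms(self, length: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False           # out of profile; no credit is consumed


# Constructed mark-down table: DS codepoint -> lower-drop-precedence codepoint.
MARK_DOWN = {10: 12, 18: 20, 26: 28, 34: 36}   # AF11->AF12, AF21->AF22, AF31->AF32, AF41->AF42


@dataclass
class Conditioner:
    meter: TokenBucket
    out_of_profile: str = "mark"   # "mark" -> marker entity, "drop" -> shaper/dropper entity

    def condition(self, dscp: int, length: int, now: float) -> tuple:
        """Returns (dscp_out, forwarded). In-profile packets pass with their codepoint intact."""
        if self.meter.conforms(length, now):
            return dscp, True
        if self.out_of_profile == "drop":
            return dscp, False
        return MARK_DOWN.get(dscp, 0), True   # codepoints without a mark-down value fall to best effort


if __name__ == "__main__":
    cond = Conditioner(TokenBucket(rate=1000, burst=1500))
    for t in (0.0, 0.0, 0.0, 0.0, 1.0):     # constructed arrival times of 500-byte packets
        print(t, cond.condition(10, 500, t))
```

With a 1500-byte burst and 1000 bytes/s, three 500-byte packets arriving together conform, the fourth is re-marked from AF11 to AF12, and one second later enough credit has accrued for the next packet to conform again.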

This process is similarly repeated at each of the intermediate devices within the QoS domain 302 that are compliant with the present invention. Depending on the particular network resources and services available at each intermediate device, a different set of rules will be selected by the device-specific filter entity 416. For example, switch 306 may similarly send a Configuration Request message to policy server 322 and receive a Decision Message. Furthermore, based on the information contained in the Configuration Request message from switch 306, including the fact that switch 306 is coupled to one or more un-trusted devices, such as end stations 332-336, the device-specific filter entity 416 may obtain one or more classification rules for classifying traffic received from these un-trusted devices. However, since switch 306 may not operate at the network layer, filter entity 416 may obtain classification rules for setting the User_Priority field 114 of packets or frames received on ports coupled to devices 332-336, depending on various parameters of the packets or frames, such as port number, protocol type, etc. Filter entity 416 may also obtain behavioral rules instructing switch 306 how to handle packets based on the user priority value rather than DS codepoint, since switch 306 may not be DS-compliant. Alternatively, policy server 322 may provide one or more classification rules that map User Priority values to DS codepoints so that switch 306 may apply one or more behavioral rules that are dependent on DS codepoints to packets that have a User Priority value.
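The edge-switch case described above, as an added Python example: frames arriving on ports coupled to un-trusted end stations get their User_Priority assigned from frame parameters (port number, protocol) by classification rules, whatever priority tag the station put on the frame, while a trusted uplink keeps its tag; the resulting User_Priority is then mapped to a DS codepoint so that DSCP-dependent behavioral rules can select the queue. This is editorial code, not the patent's switch logic; the port roles, the ordering of the classification rules, the User_Priority to DSCP table (the usual class-selector convention CSn = n << 3, which the patent does not prescribe) and the two-queue mapping are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ingress_port: int
    protocol: str        # "tcp" or "udp"
    dst_port: int
    user_priority: int   # 802.1p value carried by the frame as received (0-7)


# Constructed port roles for the access switch (illustrative only).
TRUSTED_PORTS = {24}           # uplink into the QoS domain; its priority marks are believed
UNTRUSTED_PORTS = {1, 2, 3}    # ports facing end stations; their marks are never believed

# Classification rules for un-trusted ports, first match wins:
# (predicate over the frame, User_Priority to set)
CLASSIFICATION_RULES = [
    (lambda f: f.protocol == "udp" and 16384 <= f.dst_port <= 32767, 5),   # voice-bearer style UDP
    (lambda f: f.protocol == "tcp" and f.dst_port in (80, 443), 2),         # web
    (lambda f: True, 0),                                                    # everything else
]

# User_Priority -> DS codepoint, assumed class-selector convention.
UP_TO_DSCP = {up: up << 3 for up in range(8)}

# Behavioral rule for a two-queue switch: listed codepoints go to queue 2, the rest to queue 1.
DSCP_TO_QUEUE = {40: 2, 46: 2, 48: 2}


def classify(frame: Frame) -> tuple:
    """Returns (user_priority, dscp, queue) that the switch acts on for this frame."""
    if frame.ingress_port in TRUSTED_PORTS:
        up = frame.user_priority
    elif frame.ingress_port in UNTRUSTED_PORTS:
        # The received tag is discarded: an end station does not get to choose its own priority.
        up = next(value for predicate, value in CLASSIFICATION_RULES if predicate(frame))
    else:
        raise ValueError(f"port {frame.ingress_port} has no role assigned")
    dscp = UP_TO_DSCP[up]
    return up, dscp, DSCP_TO_QUEUE.get(dscp, 1)


SAMPLE_FRAMES = [   # constructed
    Frame(1, "udp", 20000, 7),    # voice from an un-trusted host that tagged itself priority 7
    Frame(2, "tcp", 443, 7),      # web from an un-trusted host that tagged itself priority 7
    Frame(3, "udp", 53, 0),       # DNS lookup
    Frame(24, "tcp", 5060, 6),    # traffic already marked by the QoS domain, via the uplink
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(frame, "->", classify(frame))
```

The point of the trusted/un-trusted split is the trust boundary: the self-assigned priority 7 on the first two frames is overwritten by what the classification rules derive from the frame, so a station cannot promote its own traffic into the voice queue.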

It should also be understood that less than all of the intermediate devices within a given network may be configured to implement the present invention, although in the preferred embodiment, all of the intermediate devices will be so configured.

The foregoing description has been directed to specific embodiments of this invention. It will be apparent, however, that other variations and modifications may be made to the described embodiments, with the attainment of some or all of their advantages. For example, other client-server communications protocols, besides COPS, may be utilized by the policy server and intermediate devices. In addition, the present invention may also be utilized with other network layer protocols, such as IPv6, whose addresses are 128 bits long. The present invention may also be used to classify other fields of data messages, such as the User Priority field of the Inter-Switch Link (ISL) mechanism from Cisco Systems, Inc. Therefore, it is the object of the appended claims to cover all such variations and modifications as come within the true spirit and scope of the invention.
What is claimed is: 

1. A method for implementing high-level, device-independent traffic management policies within a computer network having multiple, dissimilar intermediate network devices, the method comprising the steps of:

selecting one or more high-level policies;

translating the one or more high-level policies into a plurality of executable rules;

receiving a request for traffic management policies from an intermediate device supporting a set of network services;

selecting, in response to the request, one or more rules that are compatible with the network services supported by the intermediate device;

forwarding the selected one or more rules to the intermediate device; and

utilizing the one or more rules to configure the set of network services at the intermediate device to realize the selected high-level policies.

2. The method of claim 1 wherein the rules formulated by the step of translating include at least one of classification, behavioral and configuration rules.

3. The method of claim 2 wherein the step of selecting further includes the step of selecting a predefined traffic template and loading the selected template with user and application information.

4. The method of claim 3 further comprising the step of up-dating one or more data structures associated with the selected template as user and application information is inserted therein.

5. The method of claim 4 wherein at least one classification rule includes an access control list object, a rule management object and a classification decision rule object.

6. The method of claim 5 wherein the at least one classification rule further includes a location object and a direction object.

7. The method of claim 6 wherein at least one behavioral rule includes a label test object and a behavioral rule object.

8. The method of claim 7 wherein the at least one behavioral rule further includes a location object and a direction object.

9. The method of claim 8 wherein at least one configuration rule includes a configuration rule object.

10. The method of claim 9 wherein the at least one configuration rule further includes a location object and a direction object.

11. The method of claim 10 wherein the step of translating includes the step of performing an algorithmic transformation on the one or more data structures to obtain the corresponding classification, behavioral and configuration rules.

12. A policy server for use in implementing high-level, device-independent traffic management policies within a computer network having multiple, dissimilar intermediate network devices and one or more information resources, the policy server comprising:

means for receiving the high-level traffic management policies including one or more corresponding data structures;

a policy translator that is configured to access the one or more information resources for inserting information in the data structures;

a policy rule generating engine coupled to the policy translator and configured to translate the data structures into one or more executable traffic management rules;

a device-specific filter entity coupled to the policy rule generating engine and configured to select a subset of the one or more traffic management rules in response to a request from a respective intermediate network device having particular traffic management resources and services; and

a communication engine coupled to the device-specific filter entity for exchanging requests from intermediate network devices and selected subsets of the one or more traffic management rules.

13. The policy server of claim 12 wherein the one or more corresponding data structures include a user table that maps individual network users identified in the high-level policies to network addresses and maps network groups to network masks.

14. The policy server of claim 13 wherein the one or more 
corresponding data structures further include an application 
table that maps application programs identified in the high- 
level policies to network protocol and port number. 

15. The policy server of claim 14 wherein the high-level 
traffic management policies are represented by a selected 
traffic template that maps each of a plurality of traffic types 
defined by the selected traffic template with at least one of 
a differentiated service (DS) codepoint, a network user and 
an application program. 

16. The policy server of claim 15 wherein the one or more 
corresponding data structures further include a queue assign- 
ment table that maps DS codepoints to queue numbers. 

17. The policy server of claim 16 wherein the one or more 
corresponding data structures further include a queue thresh- 
old table that maps DS codepoints to queue thresholds. 

18. The policy server of claim 17 wherein the one or more 
corresponding data structures further include a priority table 
that maps DS codepoints to DS mark down values, user 
priority values and type of service values. 
